Abstract — In this paper, we consider the problem of synthesizing correct-by-construction controllers for discrete-time dynamical systems. A commonly adopted approach in the literature is to abstract the dynamical system into a Finite Transition System (FTS) and thus convert the problem into a two-player game between the environment and the system on the FTS. The controller design problem can then be solved using synthesis tools for general linear temporal logic or generalized reactivity(1) specifications. In this article, we propose a new abstraction algorithm. Instead of generating a single FTS to represent the system, we generate two FTSs, which are under- and over-approximations of the original dynamical system. We further develop an iterative abstraction scheme by exploiting the concept of winning sets, i.e., the sets of states for which there exists a winning strategy for the system. Finally, the efficiency of the new abstraction algorithm is illustrated by numerical examples.

I. Introduction

The systems that are considered for control purposes have changed fundamentally over the last few decades. Driven by the advancements in computation and communication technologies, the systems of today are highly complicated, with large numbers of components and interactions, which poses great challenges to controller design. This is exemplified in [19], where the controller for an autonomous vehicle became so unwieldy that its failure was impossible to foresee, resulting in a crash.

In order to tame the complexity of modern control systems, synthesis of correct-by-construction control logic based on temporal logic specifications has gained considerable attention in the past few years. A commonly adopted approach is to construct a Finite Transition System (FTS) which serves as a symbolic model of the original control system, which typically has infinitely many states. The controller, which is represented by a finite state machine, can then be synthesized to guarantee certain specifications on the system by leveraging formal synthesis tools [10]. Such a design procedure has been applied to various fields including robotics (e.g. [5], [6], [2], [7], [4]), autonomous vehicle control [18], smart buildings [13] and aircraft power system design [9].

One of the main challenges of this approach is in the abstraction of the control system, whose state space is continuous and potentially high-dimensional, into a finite state model. Zamani et al. [21] propose an abstraction algorithm based on approximate simulation relations and alternating approximate simulation relations. They prove that if certain continuity assumptions on the system trajectory hold, then an FTS can be generated by partitioning the state space into small hypercubes. Similar ideas are also presented in [14] and [15].

A different, iterative approach has been proposed that first generates a coarse model of the original system and then refines the model based on reachability computations [18], [17]. This algorithm has been implemented in a software package, namely TuLiP [20], and will be compared to the method proposed in this paper.

Most of the algorithms available in the literature generate the finite state model independently of the system specifications. As such, the abstracted model can be used for any possible specification. However, this typically leads to a partition of the state space into equally fine regions everywhere. As a consequence, the time complexity of such general abstraction procedures is quite high, and it increases with the dimension of the system.

In this article, in the hope of reducing the computational complexity of the abstraction algorithm, we create the finite state models of the system by exploiting the structure of the specifications. To be specific, we create two FTS models for the control system, where one is an over-approximation of the control system and the other is an under-approximation. By solving the synthesis problem on both FTSs, we can categorize the points in the state space into what we refer to as winning, losing and maybe sets. Conceptually, the winning set contains those points for which a correct controller is known, i.e., roughly, a controller that can fulfill the given specifications. On the other hand, the losing set contains those points for which we know that no correct controller exists. Lastly, the maybe set represents the points for which the existence of a correct controller is not yet known, since the current model is not fine enough to represent the original system. One can view the winning and losing sets as the "solved" regions and the maybe set as the "unsolved" region. We can thus focus our computational power on refining the abstraction of the regions of the state space that lie in the maybe set, while leaving the current winning and losing sets intact.

The merits of our proposed algorithm are twofold:

1) Instead of partitioning the state space into equally fine regions, we can concentrate the computational power on the regions for which the existence of a correct controller is not yet known.

2) Compared to the abstraction algorithm proposed in [18], [17], [20], for the case that the specifications are unrealizable (for the original continuous control system), our algorithm can provide proof that no correct controller exists.


Ideas similar to our proposed method have been presented in [3] and [8]. Our algorithm does, however, allow us to skip some reachability calculations when performing the refinement, and can as such be seen as an extension.

The rest of the paper is organized as follows: In Section II we provide an introduction to transition systems and linear temporal logic. The problem of abstracting a discrete-time control system into FTSs is proposed in Section III. The abstraction algorithm is then discussed in Section IV. Two numerical examples are provided in Section V to illustrate the effectiveness of the proposed algorithm. Finally, Section VI concludes the paper.


II. Preliminaries 

Most of the definitions in this section can be found in [18], 
but are included in this section for the sake of completeness. 
For a more thorough presentation, see e.g. [1]. 


A. Transition Systems and Linear Temporal Logic

Definition 1. A system consists of a set $V$ of variables. The domain of $V$, denoted by $\mathrm{dom}(V)$, is the set of valuations of $V$. A state of the system is an element $\nu \in \mathrm{dom}(V)$.

In this paper, we consider a system with a set $V = S \cup \mathcal{E}$ of variables. The domain of $V$ is given by $\mathrm{dom}(V) = \mathrm{dom}(S) \times \mathrm{dom}(\mathcal{E})$, where a state $\varsigma \in \mathrm{dom}(S)$ is called the controlled state and a state $e \in \mathrm{dom}(\mathcal{E})$ the uncontrolled environmental state. As a result, the state $\nu$ can be written as $(\varsigma, e)$. We further assume that the set $\mathrm{dom}(\mathcal{E})$ is finite.

Definition 2. A transition system (TS) is a tuple $T := (\mathcal{V}, \mathcal{V}_{\mathrm{init}}, \rightarrow)$ where $\mathcal{V} \subseteq \mathrm{dom}(V)$ is a set of states, $\mathcal{V}_{\mathrm{init}} \subseteq \mathcal{V}$ is a set of initial states and $\rightarrow \subseteq \mathcal{V} \times \mathcal{V}$ is a transition relation. Given states $\nu_i, \nu_j \in \mathcal{V}$, we write $\nu_i \rightarrow \nu_j$ if there is a transition from $\nu_i$ to $\nu_j$ in $T$. We say that $T$ is a finite transition system (FTS) if $\mathcal{V}$ is finite.

Definition 3. An atomic proposition is a statement on the system variables $V$ that has a unique truth value for a given valuation of $V$. Letting $\nu \in \mathrm{dom}(V)$ and $p$ be an atomic proposition, we write $\nu \models p$ if $p$ is true at the state $\nu$.

We will use Linear Temporal Logic (LTL), which is an extension of regular propositional logic that introduces additional temporal operators, to formulate specifications on a system. In particular, apart from the standard logical operators negation ($\neg$), disjunction ($\vee$), conjunction ($\wedge$) and implication ($\Rightarrow$), it includes the temporal operators next ($\bigcirc$), always ($\Box$), eventually ($\Diamond$) and until ($\mathcal{U}$). LTL formulas are defined inductively as

1) Any atomic proposition $p$ is an LTL formula.

2) Given the LTL formulas $\varphi$ and $\psi$, $\neg\varphi$, $\varphi \vee \psi$, $\bigcirc\varphi$ and $\varphi \,\mathcal{U}\, \psi$ are LTL formulas as well.

Definition 4. The satisfaction relation $\models$ between an execution (infinite sequence of system states) $\sigma = \nu_0 \nu_1 \nu_2 \ldots$ and an LTL formula is defined inductively as

• $\sigma \models p$ if $\nu_0 \models p$.

• $\sigma \models \neg\varphi$ if $\sigma$ does not satisfy $\varphi$.

• $\sigma \models \varphi \vee \psi$ if $\sigma \models \varphi$ or $\sigma \models \psi$.

• $\sigma \models \bigcirc\varphi$ if $\nu_1 \nu_2 \ldots \models \varphi$.

• $\sigma \models \varphi \,\mathcal{U}\, \psi$ if there exists an $i \ge 0$ such that $\nu_i \nu_{i+1} \ldots \models \psi$ and for any $0 \le k < i$, $\nu_k \nu_{k+1} \ldots \models \varphi$.

For a more in-depth explanation of LTL, see [1].

It is well known that the complexity of synthesizing a controller for a general LTL formula is doubly exponential in the length of the given specification [11]. However, for a specific class of LTL formulas, namely those known as Generalized Reactivity(1) (GR(1)) formulas, an efficient polynomial-time algorithm [10] exists. As a result, in this article we will restrict the specification to be a GR(1) formula, which takes the following form:

$$\varphi = \left( \bigwedge_{i=1}^{M} \Box\Diamond p_i \right) \Rightarrow \left( \bigwedge_{j=1}^{N} \Box\Diamond q_j \right), \qquad (1)$$

where each $p_i$, $q_j$ is a Boolean combination of atomic propositions.

B. Winning Controllers and Winning Sets

Definition 5. A controller for a transition system $(\mathcal{V}, \mathcal{V}_{\mathrm{init}}, \rightarrow)$ and environment $\mathcal{E}$ is an ordered set of mappings $\gamma_t : \mathrm{dom}(S) \times \mathrm{dom}(\mathcal{E})^{t} \to \mathrm{dom}(S)$, i.e., $\gamma = (\gamma_1, \gamma_2, \ldots, \gamma_t, \ldots)$, each taking the initial controlled state $\varsigma[0]$ and all the environmental actions up to time $t-1$, $e[0] \ldots e[t-1]$, and giving another controlled state as output. Furthermore, a controller $\gamma$ is called consistent if for all $t$ and $\varsigma[0], e[0], \ldots, e[t+1]$, the following transition relation is satisfied:

$$(\gamma_t(\varsigma[0], e[0], \ldots, e[t-1]), e[t]) \rightarrow (\gamma_{t+1}(\varsigma[0], e[0], \ldots, e[t]), e[t+1]).$$

Definition 6. Given an infinite sequence of environmental states $e[0]e[1]\ldots$, a controlled execution $\sigma$ using the controller $\gamma$ and starting at $\varsigma[0]$ is an infinite sequence $\sigma = \nu_0 \nu_1 \ldots = (\varsigma[0], e[0])(\varsigma[1], e[1]) \ldots$, such that $\varsigma[t+1] = \gamma_{t+1}(\varsigma[0], e[0], \ldots, e[t])$.


Definition 7. A set of controlled states $W$ is winning if there exists a consistent controller $\gamma$ such that for any infinite sequence $e[0]e[1]\ldots$ and any initial controlled state $\varsigma[0] \in W$, the controlled execution $\sigma$ using controller $\gamma$ and starting at $\varsigma[0]$ satisfies the GR(1) specification $\varphi$. The corresponding controller $\gamma$ is called a winning controller for $W$.

The following observations are important for the rest of the paper:

Proposition 1. Let $\{W_i\}_{i \in I}$ be a collection of winning sets; then the set $\bigcup_{i \in I} W_i$ is winning.

As a result, there exists a largest winning set, which leads to the following definition:

Definition 8. The largest winning set, $W$, of a transition system $T$, for the specification $\varphi$, is defined as the union of all winning sets, i.e.,

$$W(T, \varphi) = \bigcup_{W' \text{ is winning}} W'. \qquad (2)$$

The losing set, $L$, is defined as

$$L(T, \varphi) = \mathrm{dom}(S) \setminus W(T, \varphi). \qquad (3)$$

A state $\varsigma$ is called a losing state if $\varsigma \in L(T, \varphi)$.

Remark 1. Notice that the controllers defined in Definition 5 have infinite memory (since they require all environmental actions $e[0]e[1]\ldots$). However, from [10], we know that for a finite transition system, if a winning controller exists, there will also exist a winning controller with finite memory.
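Before moving to the problem formulation, the following Python is an added example (not code from the paper) that makes Definition 4 and the GR(1) form (1) concrete. It evaluates the satisfaction relation on lasso-shaped executions (a finite prefix followed by a loop repeated forever, which is the shape every finite-memory controller produces on an FTS), derives conjunction, implication, eventually and always from the primitive operators of the inductive definition, and checks the parking specification $\Box\Diamond\mathrm{home} \wedge \Box(\mathrm{park} \Rightarrow \Diamond\mathrm{lot})$ used in Section V. The tuple encoding of formulas, the helper names and the two executions are this example's own constructions.

```python
"""Added example, not from the paper: Definition 4 on lasso-shaped executions.

An execution sigma = nu_0 nu_1 ... is given as (prefix, loop), meaning the
prefix followed by the loop repeated forever, so every temporal operator can
be decided by inspecting finitely many positions. Formulas are nested tuples
built by the helpers below; proposition names and executions are constructed.
"""
from functools import reduce

TRUE = ("true",)

# Primitive operators of the inductive definition: atomic, not, or, next, until.
def ap(name): return ("ap", name)
def neg(p): return ("not", p)
def lor(p, q): return ("or", p, q)
def nxt(p): return ("next", p)
def until(p, q): return ("until", p, q)
# Derived operators, exactly as the inductive definition allows.
def land(p, q): return neg(lor(neg(p), neg(q)))
def implies(p, q): return lor(neg(p), q)
def eventually(p): return until(TRUE, p)
def always(p): return neg(eventually(neg(p)))

def state_at(prefix, loop, i):
    """nu_i of the execution prefix . loop^omega (a set of true propositions)."""
    return prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]

def holds(phi, prefix, loop, i=0):
    """sigma_i |= phi for the suffix sigma_i = nu_i nu_{i+1} ... (Definition 4)."""
    op = phi[0]
    if op == "true":
        return True
    if op == "ap":
        return phi[1] in state_at(prefix, loop, i)
    if op == "not":
        return not holds(phi[1], prefix, loop, i)
    if op == "or":
        return holds(phi[1], prefix, loop, i) or holds(phi[2], prefix, loop, i)
    if op == "next":
        return holds(phi[1], prefix, loop, i + 1)
    # until: once inside the loop the suffixes repeat with period len(loop),
    # so positions i .. end-1 cover every distinct suffix sigma_j with j >= i.
    end = max(i, len(prefix)) + len(loop)
    for j in range(i, end):
        if holds(phi[2], prefix, loop, j):
            return True
        if not holds(phi[1], prefix, loop, j):
            return False
    return False

def gr1(ps, qs):
    """The GR(1) form (1): (/\ []<>p_i) -> (/\ []<>q_j)."""
    conj = lambda fs: reduce(land, fs)
    return implies(conj([always(eventually(p)) for p in ps]),
                   conj([always(eventually(q)) for q in qs]))

# The parking specification of Section V: []<>home /\ [](park -> <>lot).
SPEC = land(always(eventually(ap("home"))),
            always(implies(ap("park"), eventually(ap("lot")))))

# Constructed executions; each state lists the propositions true there.
SAT = ([{"home"}], [{"park"}, set(), {"lot"}, {"home"}])  # every park is followed by lot
UNSAT = ([{"home"}], [{"park"}, set(), {"home"}])         # park, but lot never comes
```

`holds(SPEC, *SAT)` is true and `holds(SPEC, *UNSAT)` is false; `holds(SPEC, *SAT, 3)` is also true, which is the shift-invariance of liveness formulas that Lemma 1 in the appendix relies on. The `until` clause is the only place where the lasso structure matters: it bounds the search for the witness position instead of scanning an infinite sequence.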

III. Problem Formulation

We consider the following discrete-time control system:

$$\begin{aligned} s[t+1] &= f(s[t], u[t]), \\ u[t] &\in U, \quad s[t] \in \mathrm{dom}(S), \\ s[0] &\in S_{\mathrm{init}}, \end{aligned} \qquad (4)$$

where $\mathrm{dom}(S) \subseteq \mathbb{R}^n$, $S_{\mathrm{init}} \subseteq \mathrm{dom}(S)$ is the set of possible initial states, $U \subseteq \mathbb{R}^m$ is the admissible control set and $f$ the system dynamics (possibly non-linear). It is evident that the discrete-time control system is completely characterized by $f$, $U$, $\mathrm{dom}(S)$ and $S_{\mathrm{init}}$, which leads to the following formal definition:

Definition 9. A discrete-time control system $\Sigma$ is a quadruple $\Sigma \triangleq (f, U, \mathrm{dom}(S), S_{\mathrm{init}})$.

A discrete-time control system $\Sigma$ can be converted into a transition system in the following manner:

Definition 10. Let $\Sigma = (f, U, \mathrm{dom}(S), S_{\mathrm{init}})$ be a discrete-time control system. The transition system $TS(\Sigma) = (\mathcal{V}, \mathcal{V}_{\mathrm{init}}, \rightarrow)$ associated with $\Sigma$ is defined as:

• $\mathcal{V} = \mathrm{dom}(S) \times \mathrm{dom}(\mathcal{E})$.

• $\mathcal{V}_{\mathrm{init}} = S_{\mathrm{init}} \times \mathrm{dom}(\mathcal{E})$.

• For any $(s_1, e_1), (s_2, e_2) \in \mathcal{V}$, $(s_1, e_1) \rightarrow (s_2, e_2)$ if and only if there exists $u \in U$ such that $s_2 = f(s_1, u)$.

The problem of controller synthesis for the discrete-time control system $\Sigma$ can be written as a controller synthesis problem for $TS(\Sigma)$ as follows:

Problem 1. Realizability: Given $TS(\Sigma)$ and a specification $\varphi$, decide whether $S_{\mathrm{init}}$ is a winning set.

Problem 2. Synthesis: Given $TS(\Sigma)$ and a specification $\varphi$, if $S_{\mathrm{init}}$ is winning, construct the winning controller $\gamma$.

In general, Problems 1 and 2 are very challenging, even for a very simple formula $\varphi$ [16], [12]. As a result, we will attack this problem by leveraging the tools developed for controller synthesis for FTSs. The main difficulty in directly applying these techniques is that $TS(\Sigma)$ has infinitely (uncountably) many states. In the next section, we develop abstraction techniques to convert $TS(\Sigma)$ into FTSs.

IV. Abstraction Algorithm

In this section, we abstract $TS(\Sigma)$ into two FTSs with the same set of states by partitioning the state space into equivalence classes. We will refer to $s \in \mathrm{dom}(S)$ as a continuous state for $TS(\Sigma)$ and to any state of the FTSs as a discrete state.

A. Constructing the Initial Transition Systems 

Our proposed method builds upon the idea of creating an over-approximation and an under-approximation of the reachability relations of the system. To this end, we (iteratively) construct two FTSs: one that we will refer to as the pessimistic FTS and one that we will refer to as the optimistic FTS. We introduce the notation $D_o^{(i)} = (\mathcal{V}^{(i)}, \mathcal{V}^{(i)}_{\mathrm{init}}, \rightarrow_o^{(i)})$ and $D_p^{(i)} = (\mathcal{V}^{(i)}, \mathcal{V}^{(i)}_{\mathrm{init}}, \rightarrow_p^{(i)})$, respectively, for the $i$th iteration of these FTSs (i.e., those constructed in the $i$th iteration of the algorithm).

To simplify the notation, we define two reachability relations as:

Definition 11. The relation $\mathcal{R}_p : 2^{\mathrm{dom}(S)} \times 2^{\mathrm{dom}(S)} \to \{0, 1\}$ is defined such that $\mathcal{R}_p(X, Y) = 1$ if and only if for all $x \in X$, there exist $y \in Y$ and $u \in U$ such that $f(x, u) = y$.

Definition 12. The relation $\mathcal{R}_o : 2^{\mathrm{dom}(S)} \times 2^{\mathrm{dom}(S)} \to \{0, 1\}$ is defined such that $\mathcal{R}_o(X, Y) = 1$ if and only if there exist $x \in X$, $y \in Y$ and $u \in U$ such that $f(x, u) = y$.

Remark 2. Informally, $\mathcal{R}_p$ indicates whether there is some control action for every continuous state in a region $X$ that takes that state to some state in the region $Y$ in one time step. $\mathcal{R}_o$ indicates whether there is some point in $X$ that can be controlled to $Y$ in one time step. The results can be generalized to longer horizon lengths, but for simplicity we only consider reachability in one time step.

We further define a partition function of the continuous state space $\mathrm{dom}(S)$:

Definition 13. A partition function of $\mathrm{dom}(S)$ is a mapping $\mathcal{T}_S : \mathrm{dom}(S) \to \mathcal{S}$. The inverse of $\mathcal{T}_S$ is defined as $\mathcal{T}_S^{-1} : \mathcal{S} \to 2^{\mathrm{dom}(S)}$ such that

$$\mathcal{T}_S^{-1}(\varsigma) = \{ s \in \mathrm{dom}(S) : \mathcal{T}_S(s) = \varsigma \}.$$

Definition 14. The partition function $\mathcal{T}_S$ on $\mathrm{dom}(S)$ is called proposition preserving if for any atomic proposition $p$ and any pair of continuous states $s_a, s_b \in \mathrm{dom}(S)$ which satisfy $\mathcal{T}_S(s_a) = \mathcal{T}_S(s_b)$, we have that $s_a \models p$ implies $s_b \models p$.

If $\mathcal{T}_S$ is proposition preserving, then we can label the discrete states with atomic propositions. To be specific, we say $\varsigma \models p$ if and only if for every $s \in \mathcal{T}_S^{-1}(\varsigma)$ we have that $s \models p$.

To initialize the abstraction algorithm, we assume that we are given the atomic propositions on the continuous state space $\mathrm{dom}(S)$. We can then create a proposition preserving partition function $\mathcal{T}_{S^{(0)}}$, a set of discrete states $\mathcal{S}^{(0)}$ and a set of initial discrete states $\mathcal{S}^{(0)}_{\mathrm{init}} \subseteq \mathcal{S}^{(0)}$. The state space $\mathcal{V}^{(0)}$ and the initial states $\mathcal{V}^{(0)}_{\mathrm{init}}$ are defined as $\mathcal{V}^{(0)} = \mathcal{S}^{(0)} \times \mathrm{dom}(\mathcal{E})$ and $\mathcal{V}^{(0)}_{\mathrm{init}} = \mathcal{S}^{(0)}_{\mathrm{init}} \times \mathrm{dom}(\mathcal{E})$.

Next, we perform a reachability analysis to establish the transition relations in $D_p^{(0)}$ and $D_o^{(0)}$. For every pair of states $\nu_a = (\varsigma_a, e_a)$, $\nu_b = (\varsigma_b, e_b)$, we add a transition in $D_p^{(0)}$ from $\nu_a$ to $\nu_b$ if and only if $\mathcal{R}_p(\mathcal{T}^{-1}_{S^{(0)}}(\varsigma_a), \mathcal{T}^{-1}_{S^{(0)}}(\varsigma_b)) = 1$, and a transition in $D_o^{(0)}$ if and only if $\mathcal{R}_o(\mathcal{T}^{-1}_{S^{(0)}}(\varsigma_a), \mathcal{T}^{-1}_{S^{(0)}}(\varsigma_b)) = 1$.

Remark 3. $D_o^{(0)}$ is optimistic in the sense that even if only some part of a region corresponding to a discrete state can reach another, we consider there to be a transition between these two discrete states. In $D_p^{(0)}$ we require every point in a region corresponding to a discrete state to be able to reach some point in the other for there to be a transition.

The idea is illustrated in Figure 1. Given an initial proposition preserving partition of the continuous state space (the colored quadrants), the two FTSs can be constructed using a reachability analysis. An arrow from a region separated by a solid or dashed line to another region means that there is some control action taking the system from the first region to the other. For simplicity, we assume that the environment does not have any variables.

Fig. 1. Construction of $D_p^{(0)}$ and $D_o^{(0)}$ given an initial proposition preserving partition of the state space (the four colored quadrants) and a reachability analysis (illustrated by the lines and arrows in the state space). For simplicity, the environment is assumed to have no variables.

We now provide two theorems regarding the (largest) winning sets of $D_p^{(0)}$ and $D_o^{(0)}$, the proofs of which are reported after the statements of the theorems for the sake of legibility.

Theorem 1. For any discrete state $\varsigma[0] \in W(D_p^{(0)}, \varphi)$ that is winning for the pessimistic FTS $D_p^{(0)}$, the corresponding continuous states are also winning in $TS(\Sigma)$, i.e., $\mathcal{T}^{-1}_{S^{(0)}}(\varsigma[0]) \subseteq W(TS(\Sigma), \varphi)$.

Theorem 2. For any continuous state $s[0] \in W(TS(\Sigma), \varphi)$ that is winning for $TS(\Sigma)$, the corresponding discrete state is also winning in $D_o^{(0)}$, i.e., $\mathcal{T}_{S^{(0)}}(s[0]) \in W(D_o^{(0)}, \varphi)$.

Proof of Theorem 1. Suppose the winning controller for $W(D_p^{(0)}, \varphi)$ is $\gamma_p = (\gamma_{p,1}, \gamma_{p,2}, \ldots, \gamma_{p,t}, \ldots)$. Consider a discrete state $\varsigma[0] = \mathcal{T}_{S^{(0)}}(s[0]) \in W(D_p^{(0)}, \varphi)$. For all possible environmental actions $e[0]e[1]\ldots$, we can create the controlled execution using $\gamma_p$. This gives a sequence of states $(\varsigma[0], e[0])(\varsigma[1], e[1])\ldots$, which satisfies the specification $\varphi$.

Consider now a continuous state $s[0] \in \mathcal{T}^{-1}_{S^{(0)}}(\varsigma[0])$. From the construction of $D_p^{(0)}$, we know that

Thus, we can recursively define the consistent continuous controller $\gamma = (\gamma_1, \gamma_2, \ldots)$ to be

1) $\gamma_1(s[0], e[0])$ returns an $s[1] \in \mathcal{T}^{-1}_{S^{(0)}}(\varsigma[1])$ such that there exists $u[0] \in U$ with $f(s[0], u[0]) = s[1]$.

2) $\gamma_{t+1}(s[0], e[0], \ldots, e[t])$ returns an $s[t+1] \in \mathcal{T}^{-1}_{S^{(0)}}(\varsigma[t+1])$ such that there exists $u[t] \in U$ with

$$f(\gamma_t(s[0], e[0], \ldots, e[t-1]), u[t]) = \gamma_{t+1}(s[0], e[0], \ldots, e[t]).$$

As a result, we have a sequence $(s[0], e[0])(s[1], e[1])\ldots$, where $\mathcal{T}_{S^{(0)}}(s[t]) = \varsigma[t]$. Hence, the controller $\gamma$ is also winning at $s[0]$, which completes the proof. □

Proof of Theorem 2. Suppose $\gamma = (\gamma_1, \gamma_2, \ldots)$ is winning for $W(TS(\Sigma), \varphi)$ and $s[0] \in W(TS(\Sigma), \varphi)$. For all possible environmental actions $e[0]e[1]\ldots$, we create a controlled execution using $\gamma$: $(s[0], e[0])(s[1], e[1])\ldots$, which is winning.

Now consider the discrete state $\varsigma[t] = \mathcal{T}_{S^{(0)}}(s[t])$. By the definition of $\mathcal{R}_o$, we know that

$$(\varsigma[t], e[t]) \rightarrow_o^{(0)} (\varsigma[t+1], e[t+1]).$$

As a result, we can construct a consistent controller $\gamma_o = (\gamma_{o,1}, \ldots)$ for $\varsigma[0] = \mathcal{T}_{S^{(0)}}(s[0])$ as $\gamma_{o,t}(\varsigma[0], e[0], \ldots, e[t-1]) = \mathcal{T}_{S^{(0)}}(\gamma_t(s[0], e[0], \ldots, e[t-1]))$. Thus, we get a sequence $(\varsigma[0], e[0])(\varsigma[1], e[1])\ldots$, where $\varsigma[t] = \mathcal{T}_{S^{(0)}}(s[t])$. Hence, the controller $\gamma_o$ is winning at $\varsigma[0]$, which completes the proof. □

We now define the following three sets:

$$\mathcal{W}^{(i)} = W(D_p^{(i)}, \varphi), \qquad (5)$$

referred to as the winning set,

$$\mathcal{L}^{(i)} = L(D_o^{(i)}, \varphi), \qquad (6)$$

as the losing set, and

(7)

as the maybe set. We can further define the inverse images of these sets on $\mathrm{dom}(S)$ as $\mathcal{W}_c^{(i)} = \mathcal{T}^{-1}_{S^{(i)}}(\mathcal{W}^{(i)})$, $\mathcal{L}_c^{(i)} = \mathcal{T}^{-1}_{S^{(i)}}(\mathcal{L}^{(i)})$ and $\mathcal{M}_c^{(i)} = \mathcal{T}^{-1}_{S^{(i)}}(\mathcal{M}^{(i)})$.

By Theorems 1 and 2, it is clear that

1) If $S_{\mathrm{init}} \subseteq \mathcal{W}_c^{(0)}$, then $S_{\mathrm{init}}$ is a winning set for $TS(\Sigma)$. Furthermore, the winning controller can be constructed in a similar fashion as is discussed in the proof of Theorem 1.

2) If $S_{\mathrm{init}} \cap \mathcal{L}_c^{(0)} \neq \emptyset$, then $S_{\mathrm{init}}$ is not a winning set for $TS(\Sigma)$.

3) If neither 1) nor 2) is true, then a finer partition is needed to answer the Realizability Problem.

For case 3), one may naively create a finer partition function and the corresponding pessimistic and optimistic FTSs. In the next subsection, we show how to do this iteratively in order to reduce the computational complexity of the abstraction algorithm by exploiting the properties of the winning set.















B. Refinement Procedure 

We define a refinement operation as

$$\mathrm{split}_m : 2^{\mathrm{dom}(S)} \times \{1, \ldots, m\} \to 2^{\mathrm{dom}(S)} \qquad (8)$$

such that for all $X \subseteq \mathrm{dom}(S)$ and $i, j \in \{1, \ldots, m\}$, $i \neq j$, it has the following properties: $\mathrm{split}_m(X, i) \subseteq X$, $\mathrm{split}_m(X, i) \cap \mathrm{split}_m(X, j) = \emptyset$ and $\bigcup_{k=1}^{m} \mathrm{split}_m(X, k) = X$.

Remark 4. The index $m$ on $\mathrm{split}_m$ is the number of children that a region should be split into upon refinement. We leave it unspecified how to choose $m$ and the exact shape of the regions generated by $\mathrm{split}_m$, since the exact details are not relevant for the algorithm. In the implementation in Section V, a split of $X \subseteq \mathbb{R}^n$ into $2^n$ equally sized hyperrectangles was used (assuming that the initial proposition preserving partition consisted only of hyperrectangles).

We will focus our computational resources (i.e., perform a further refinement) on the states in the maybe set $\mathcal{M}^{(i)}$. Intuitively, these states have the potential to become winning when we create finer partitions. With $\mathcal{S}^{(i)}$ and $\mathcal{T}_{S^{(i)}}$ as the set of discrete states and the partition function of the $i$th iteration, respectively, we define $\mathcal{S}^{(i+1)}$ and $\mathcal{T}_{S^{(i+1)}}$ in the following way:

1) If $\varsigma \in \mathcal{W}^{(i)} \cup \mathcal{L}^{(i)}$, then $(\varsigma, 1) \in \mathcal{S}^{(i+1)}$ and $\mathcal{T}^{-1}_{S^{(i+1)}}((\varsigma, 1)) = \mathcal{T}^{-1}_{S^{(i)}}(\varsigma)$.

2) If $\varsigma \in \mathcal{M}^{(i)}$, then for all $j = 1, \ldots, m$, $(\varsigma, j) \in \mathcal{S}^{(i+1)}$ and $\mathcal{T}^{-1}_{S^{(i+1)}}((\varsigma, j)) = \mathrm{split}_m(\mathcal{T}^{-1}_{S^{(i)}}(\varsigma), j)$.

Given the discrete states, the state space can be defined as $\mathcal{V}^{(i+1)} = \mathcal{S}^{(i+1)} \times \mathrm{dom}(\mathcal{E})$, and the initial states can be defined in a similar fashion.

Remark 5. One can consider the discrete state spaces $\mathcal{S}^{(0)}, \mathcal{S}^{(1)}, \ldots$ to form a forest (a disjoint union of trees), where the states in $\mathcal{S}^{(0)}$ are the roots and $(\varsigma, j) \in \mathcal{S}^{(i+1)}$ is the $j$th child of $\varsigma \in \mathcal{S}^{(i)}$.

A simple example of the refinement procedure is provided in Figure 2. An initial proposition preserving partition is constructed from the continuous state space $\mathrm{dom}(S)$, which in this case results in three discrete states (and corresponding regions in the continuous state space). The discrete states are marked as belonging to either the winning (crosshatched green), maybe (solid yellow) or losing (dotted red) set. To refine the partition, the $\mathrm{split}_3$-operator (using equally sized rectangles as partitions) is applied to the state in the maybe set, namely $\varsigma_2$. The refined partition can be seen in the rightmost figure, where a new reachability analysis has been performed. The next step of the procedure would further refine the new maybe set, $(\varsigma_2, 3)$.

Fig. 2. An example of the proposed refinement procedure. An initial proposition preserving partition is constructed in the first step. The regions are labeled with their corresponding discrete state. The states are colored differently depending on whether they belong to the winning (crosshatched green), maybe (solid yellow) or losing (dotted red) set. The $\mathrm{split}_3$-operator is used to further refine the states in the maybe set (only one iteration is illustrated).

We now define the transition relations of the two FTSs. We begin with the relations in the pessimistic FTS. For any two states $(\varsigma_a, j), (\varsigma_b, k) \in \mathcal{S}^{(i+1)}$ and environmental states $e_a, e_b$, we have that $((\varsigma_a, j), e_a) \rightarrow_p^{(i+1)} ((\varsigma_b, k), e_b)$ if and only if one of the following statements holds:

1) WW-transition: $\varsigma_a, \varsigma_b \in \mathcal{W}^{(i)}$, $j = k = 1$ and $(\varsigma_a, e_a) \rightarrow_p^{(i)} (\varsigma_b, e_b)$.

2) MW-transition: $\varsigma_a \in \mathcal{M}^{(i)}$, $\varsigma_b \in \mathcal{W}^{(i)}$, $k = 1$ and $\mathcal{R}_p(\mathcal{T}^{-1}_{S^{(i+1)}}((\varsigma_a, j)), \mathcal{T}^{-1}_{S^{(i+1)}}((\varsigma_b, 1))) = 1$.

3) MM-transition: $\varsigma_a, \varsigma_b \in \mathcal{M}^{(i)}$ and $\mathcal{R}_p(\mathcal{T}^{-1}_{S^{(i+1)}}((\varsigma_a, j)), \mathcal{T}^{-1}_{S^{(i+1)}}((\varsigma_b, k))) = 1$.

Remark 6. WW stands for a transition between two winning states, and analogously for MW and MM. Notice that we omit many possible transitions. This allows us to focus on the critical transitions that affect the computation of the winning set. The rationale for this is that it is a waste to check whether, for example, a winning state can reach a maybe state, since we already know that there is a winning controller in the winning state.

The update rule for the optimistic FTS is similar. We have that $((\varsigma_a, j), e_a) \rightarrow_o^{(i+1)} ((\varsigma_b, k), e_b)$ if and only if one of the following three statements holds:

1) WW-transition: $\varsigma_a, \varsigma_b \in \mathcal{W}^{(i)}$, $j = k = 1$ and $(\varsigma_a, e_a) \rightarrow_p^{(i)} (\varsigma_b, e_b)$. Notice that we are using the transition relation $\rightarrow_p^{(i)}$ instead of $\rightarrow_o^{(i)}$ for this case.

2) MW-transition: $\varsigma_a \in \mathcal{M}^{(i)}$, $\varsigma_b \in \mathcal{W}^{(i)}$, $k = 1$ and $\mathcal{R}_o(\mathcal{T}^{-1}_{S^{(i+1)}}((\varsigma_a, j)), \mathcal{T}^{-1}_{S^{(i+1)}}((\varsigma_b, 1))) = 1$.

3) MM-transition: $\varsigma_a, \varsigma_b \in \mathcal{M}^{(i)}$ and $\mathcal{R}_o(\mathcal{T}^{-1}_{S^{(i+1)}}((\varsigma_a, j)), \mathcal{T}^{-1}_{S^{(i+1)}}((\varsigma_b, k))) = 1$.

We will now expand upon Theorems 1 and 2 to provide a characterization of the winning sets $W(D_p^{(i)}, \varphi)$ and $W(D_o^{(i)}, \varphi)$. The proofs of the following theorems are deferred to the appendix for the sake of legibility.

Theorem 3. For any discrete state $\varsigma[0] \in W(D_p^{(i)}, \varphi)$ that is winning for the pessimistic FTS $D_p^{(i)}$, the corresponding continuous states are also winning in $TS(\Sigma)$, i.e.,

$$\mathcal{T}^{-1}_{S^{(i)}}(\varsigma[0]) \subseteq W(TS(\Sigma), \varphi). \qquad (9)$$

Furthermore, its child $(\varsigma[0], 1)$ is also winning for $D_p^{(i+1)}$, i.e.,

$$(\varsigma[0], 1) \in W(D_p^{(i+1)}, \varphi). \qquad (10)$$

Theorem 4. For any continuous state $s[0] \in W(TS(\Sigma), \varphi)$ that is winning for $TS(\Sigma)$, the corresponding discrete state is also winning in $D_o^{(i)}$, i.e.,

$$\mathcal{T}_{S^{(i)}}(s[0]) \in W(D_o^{(i)}, \varphi). \qquad (11)$$

Furthermore, if the discrete state $\varsigma[0] \in \mathcal{S}^{(i)}$ is losing for $D_o^{(i)}$, then its child is also losing in $D_o^{(i+1)}$, i.e.,

$$(\varsigma[0], 1) \in L(D_o^{(i+1)}, \varphi). \qquad (12)$$

Combining Theorems 3 and 4, we have the following corollary:

Corollary 1. $\mathcal{W}_c^{(0)} \subseteq \mathcal{W}_c^{(1)} \subseteq \cdots \subseteq W(TS(\Sigma), \varphi) \subseteq \cdots \subseteq \mathrm{dom}(S) \setminus \mathcal{L}_c^{(1)} \subseteq \mathrm{dom}(S) \setminus \mathcal{L}_c^{(0)}$.

The box outlining the algorithm for the first iteration can be straightforwardly adjusted with Theorems 3 and 4 to outline the full algorithm:

1) If $S_{\mathrm{init}} \subseteq \mathcal{W}_c^{(i)}$, then $S_{\mathrm{init}}$ is a winning set for $TS(\Sigma)$. A winning controller can be constructed in a similar fashion as is discussed in the proof of Theorem 1.

2) If $S_{\mathrm{init}} \cap \mathcal{L}_c^{(i)} \neq \emptyset$, then $S_{\mathrm{init}}$ is not a winning set for $TS(\Sigma)$. Thus, we can stop the refinement procedure because there is no winning controller.

3) If neither of the above statements is fulfilled, then we cannot give a definitive answer on whether $S_{\mathrm{init}}$ is winning or not at the $i$th iteration. As a result, we create the FTSs $D_p^{(i+1)}$ and $D_o^{(i+1)}$ and try to solve the winning sets for them.

Remark 7. It is worth noticing that we do not use any special properties of the function $f$ or the sets $U$, $\mathrm{dom}(S)$ and $S_{\mathrm{init}}$, except for the reachability relations that they induce. As a result, the algorithm presented in this article can be used to handle any transition system.
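As an added example (not code from the paper, and not TuLiP's implementation), the following Python carries the procedure of Sections IV-A and IV-B through on a constructed two-dimensional system. It evaluates $\mathcal{R}_p$ and $\mathcal{R}_o$ in closed form for box-shaped regions and a box-shaped $U$ under the dynamics $s[t+1] = s[t] + u[t]$, solves the largest winning sets of $D_p^{(i)}$ and $D_o^{(i)}$ for the specification $\Box\Diamond\mathrm{goal}$ (no environment variables, so a Büchi fixed point stands in for a GR(1) solver), classifies the cells into winning, maybe and losing, and refines only the maybe cells using the WW, MW and MM transition rules. The system, the control box $U = [-1, 1] \times [0, 1]$ (which makes the second coordinate non-decreasing, so everything above the goal is losing), the half-open partition cells, the initial partition and every identifier are this example's own assumptions.

```python
"""Added example, not code from the paper or from TuLiP: the two-FTS
abstraction of Section IV with refinement, on a constructed 2-D system.

Assumed system: s[t+1] = s[t] + u[t], control box U = [-1, 1] x [0, 1] (the
y-coordinate can never decrease), dom(S) = [0, 4]^2, goal = [0, 0.5]^2, no
environment variables, specification []<>goal. Partition cells are half-open
boxes [xlo, xhi) x [ylo, yhi) so that neighbouring cells share no points; the
top and right edges of dom(S) are ignored (measure zero).
"""
U = (-1.0, 1.0, 0.0, 1.0)        # (ulo_x, uhi_x, ulo_y, uhi_y)
GOAL = (0.0, 0.5, 0.0, 0.5)      # (xlo, xhi, ylo, yhi)

def reach_p(X, Y):
    """R_p(X, Y) = 1 (Def. 11): every x in X has some u in U with x + u in Y.
    For these dynamics that is per-axis containment of X in Y shifted by -U."""
    return all(X[2*a] + U[2*a+1] >= Y[2*a] and X[2*a+1] + U[2*a] <= Y[2*a+1]
               for a in (0, 1))

def reach_o(X, Y):
    """R_o(X, Y) = 1 (Def. 12): some x in X and u in U give x + u in Y,
    i.e. the half-open Minkowski sum X + U overlaps Y on both axes."""
    return all(X[2*a] + U[2*a] < Y[2*a+1] and X[2*a+1] + U[2*a+1] > Y[2*a]
               for a in (0, 1))

def intersects(X, Y):
    return all(X[2*a] < Y[2*a+1] and Y[2*a] < X[2*a+1] for a in (0, 1))

def contained(X, Y):
    return all(X[2*a] >= Y[2*a] and X[2*a+1] <= Y[2*a+1] for a in (0, 1))

def split4(X):
    """split_m with m = 2^n = 4 equally sized hyperrectangles (Remark 4)."""
    xl, xh, yl, yh = X
    xm, ym = (xl + xh) / 2, (yl + yh) / 2
    return [(xl, xm, yl, ym), (xm, xh, yl, ym), (xl, xm, ym, yh), (xm, xh, ym, yh)]

def buchi_win(states, succ, goal):
    """Largest winning set for []<>goal when only the system moves:
    nu Z. mu Y. (goal & pre(Z)) | pre(Y), with pre(A) = {s : succ[s] & A}."""
    def pre(A):
        return {s for s in states if succ[s] & A}
    Z = set(states)
    while True:
        Y, target = set(), goal & pre(Z)
        while True:
            Y_next = target | pre(Y)
            if Y_next == Y:
                break
            Y = Y_next
        if Y == Z:
            return Z
        Z = Y

def classify(cells, succ_p, succ_o):
    """W = W(D_p), L = L(D_o) as in (5) and (6); the rest is the maybe set."""
    goal = {c for c, box in cells.items() if contained(box, GOAL)}
    W = buchi_win(set(cells), succ_p, goal)
    L = set(cells) - buchi_win(set(cells), succ_o, goal)
    return W, L

def initial_abstraction():
    """Proposition-preserving initial partition: the goal box plus three boxes
    covering the rest of dom(S); D_p^(0) and D_o^(0) check every pair of cells."""
    cells = {(0,): GOAL, (1,): (0.5, 4.0, 0.0, 0.5),
             (2,): (0.0, 0.5, 0.5, 4.0), (3,): (0.5, 4.0, 0.5, 4.0)}
    succ_p = {a: {b for b in cells if reach_p(cells[a], cells[b])} for a in cells}
    succ_o = {a: {b for b in cells if reach_o(cells[a], cells[b])} for a in cells}
    return cells, succ_p, succ_o

def refine(cells, succ_p, succ_o, W, L):
    """Section IV-B: keep W and L cells as child 1, split M cells into four,
    and add only WW (copied from D_p^(i)), MW and MM (re-checked) transitions."""
    M = set(cells) - W - L
    new = {}
    for c, box in cells.items():
        for j, child in enumerate(split4(box) if c in M else [box], 1):
            new[c + (j,)] = child
    def ok(a, b, reach):
        pa, pb = a[:-1], b[:-1]
        if pa in W and pb in W:                 # WW: the D_p^(i) relation, for both FTSs
            return pb in succ_p[pa]
        return pa in M and pb not in L and reach(new[a], new[b])   # MW or MM
    succ_p2 = {a: {b for b in new if ok(a, b, reach_p)} for a in new}
    succ_o2 = {a: {b for b in new if ok(a, b, reach_o)} for a in new}
    return new, succ_p2, succ_o2

def synthesize(s_init, max_iter=6):
    """Iterate the procedure of Section IV for a half-open initial box s_init.
    Returns ('realizable', i), ('unrealizable', i) or ('unknown', i)."""
    cells, succ_p, succ_o = initial_abstraction()
    for i in range(max_iter + 1):
        W, L = classify(cells, succ_p, succ_o)
        touched = {c for c, box in cells.items() if intersects(box, s_init)}
        if touched & L:              # S_init meets L_c: no controller can exist
            return "unrealizable", i
        if touched <= W:             # S_init inside W_c: a controller exists
            return "realizable", i
        cells, succ_p, succ_o = refine(cells, succ_p, succ_o, W, L)
    return "unknown", max_iter
```

`synthesize((3.0, 3.5, 0.0, 0.25))` returns `('realizable', 2)`: the band below $y = 0.5$ is a single maybe cell at iteration 0, and two splits are needed before the pessimistic relation links every cell of the band to the goal. `synthesize((3.0, 3.5, 3.0, 3.5))` returns `('unrealizable', 0)`, because the initial box meets a cell that is already losing in $D_o^{(0)}$; this is the definitive negative answer that a single under-approximating FTS cannot give.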

V. Numerical Results 

In this section, we perform a comparison between the algorithm in TuLiP [20] and our proposed algorithm on two systems in $\mathbb{R}^2$ (for simplicity and illustratory purposes; the algorithm is valid for higher-dimensional systems as well). All the simulations were performed on a MacBook Air (1.3 GHz, 4 GB RAM).

Consider the system

$$\begin{aligned} s[t+1] &= I_2 s[t] + I_2 u[t], \\ u[t] &\in U = \{ u \in \mathbb{R}^2 : \|u\|_\infty \le 1 \}, \\ s[t] &\in \mathrm{dom}(S) = [0, 3] \times [0, 2], \\ s[0] &\in S_{\mathrm{init}} = [0, 3] \times [0, 2], \end{aligned} \qquad (13)$$

where $I_2$ is the $2 \times 2$ identity matrix, with the following propositional markings in the state space: $[0, 1] \times [0, 1]$ as home and $[2, 3] \times [1, 2]$ as lot. Let the environment be equipped with a Boolean variable, park, and let the specification of the system be the following: $\varphi = \Box\Diamond\mathrm{home} \wedge \Box(\mathrm{park} \Rightarrow \Diamond\mathrm{lot})$, which can be converted into GR(1) form. Roughly speaking, the specification requires that the system should visit the parking lot whenever the environment sets park true, and should always return back home.

The algorithm employed by TuLiP [18] partitions the whole state space according to a reachability analysis until no region corresponding to a discrete state can be refined further without going below a pre-specified threshold volume. This leads to problems when the threshold volume is set too high, since not enough transitions can be established in the finite state model. As illustrated by the red crosses in Figure 3, TuLiP failed to find a controller realizing the specification when the threshold volume was taken larger than 0.2. When the threshold was chosen below this value, it succeeded in finding a controller and announced that the specifications were realizable (green dots).

Our implementation iteratively refines the partition of the state space until a controller can be synthesized (or, in the case that the specifications are unrealizable, until it can guarantee that none can be found). Furthermore, our algorithm only refines the "interesting" areas of the state space, which results in less computational time, as indicated by the dashed blue line. Note that the time it takes to "guess" the right threshold value for TuLiP is large.

Fig. 3. Timing data for the current algorithm in TuLiP and our proposed algorithm. The specifications that we are considering for the continuous system are realizable, but TuLiP cannot synthesize a controller until the threshold volume is below 0.2. The dots and crosses indicate the time for TuLiP to partition the state space and then try to synthesize a controller, giving a positive or a negative answer, respectively, on whether the specifications are realizable. Our algorithm concludes that the specifications are realizable without taking any threshold volume as input, illustrated by the dashed blue line.

The next example shows the actual partition that results from the two methods. Consider the system

$$\begin{aligned} s[t+1] &= I_2 s[t] + I_2 u[t], \\ u[t] &\in U = \{ u \in \mathbb{R}^2 : \|u\|_\infty \le 1 \}, \\ s[t] &\in \mathrm{dom}(S) = [0, 4] \times [0, 4], \\ s[0] &\in S_{\mathrm{init}} = [3, 3.5] \times [3, 3.5], \end{aligned} \qquad (14)$$

with the set of propositions $[0, 0.5] \times [0, 0.5]$ as goal and $[3, 3.5] \times [3, 3.5]$ as start. For simplicity, assume that the environment has no variables. The initial assumption on the system is start and the progress specification of the system is $\Box\Diamond\mathrm{goal}$. This means that the system starts in start and should always eventually reach goal.

A set $\Omega$ is invariant if $s(t_0) \in \Omega \Rightarrow s(t) \in \Omega$ for all $t \ge t_0$ and for all possible controls $u(t)$. It is simple to show that the region $\mathrm{dom}(S) \setminus [0, 2]^2$ is invariant for (14). Since start lies in an invariant region that does not contain goal, we know a priori that there does not exist a winning controller.

Fig. 4. (a) shows the partition by TuLiP of the system (14) when the threshold volume was chosen to be 1.0. Regions of the same color are considered as one discrete state. (b) shows the partition resulting from our algorithm, with the winning (green), maybe (yellow) and losing (red) sets marked. Here, every region is its own discrete state.

Figure 4(a) shows the partition that TuLiP provided when the threshold volume was set to 1.0. Note that the invariant region is finely partitioned. The runtime of the algorithm was 620 s. No controller that fulfills the specifications could be synthesized using this abstraction. Note that from the output of TuLiP, it is not possible to say whether no winning controller exists, or whether a winning controller for the original system exists but TuLiP cannot find it because the partition is too coarse.

The output of our algorithm can be seen in Figure 4(b). The coloring illustrates the winning (green), maybe (yellow) and losing (red) states. The states in the maybe set are marked as such since some of the continuous states in them lie within the invariant region, and some lie within the region that can reach goal. Since start lies in the losing set, the algorithm terminates and concludes with a definitive answer that there exists no winning controller (neither for the abstraction nor for the original system). This took 25 s.

VI. Conclusion 

In this paper we have presented an iterative method for abstracting a discrete-time control system into two FTSs, representing an under- and an over-approximation of the reachability properties of the original dynamical system. We have provided theorems regarding the existence of controllers fulfilling GR(1) specifications for the continuous system, based on the existence of such controllers for the two FTSs. Our proposed algorithm provides a way of focusing the computational resources on refining only certain areas of the state space, leading to a decrease in the time complexity of the abstraction procedure compared to previous methods. We have made a comparison between the proposed algorithm and the one currently used in the TuLiP framework on numerical examples, with promising results.
Appendix

Proof of Proposition. Let us define an index function $h : \bigcup_{i \in I} W_i \to I$ such that for any $\xi \in \bigcup_{i \in I} W_i$ the following set inclusion holds:

Now assume that the winning controller for the set $W_i$ is $\gamma^{(i)} = (\gamma_1^{(i)}, \gamma_2^{(i)}, \ldots)$. We can define the new controller $\gamma = (\gamma_1, \gamma_2, \ldots)$ as

$\gamma_t(\xi[0], e[0], \ldots, e[t-1]) = \gamma_t^{(h(\xi[0]))}(\xi[0], e[0], \ldots, e[t-1]).$

It is easily verified that $\gamma$ is a winning controller for $\bigcup_{i \in I} W_i$. □

Lemma 1. For any two sequences $\sigma = v_0 v_1 \ldots$ and $\sigma' = v'_0 v'_1 \ldots$ such that $\sigma \models \varphi$ and $\sigma' \models \varphi$, where $\varphi$ is a GR(1) formula as defined earlier, the following properties hold:

1) Define the time-shifted sequence $\sigma_t = v_t v_{t+1} \ldots$; then $\sigma_t \models \varphi$.

2) Suppose that there exists $\tau \ge 0$ such that $v_\tau = v'_0$; then the sequence $v_0 \ldots v_\tau v'_1 v'_2 \ldots \models \varphi$.

Proof. By definition, $\sigma \models \varphi$ if and only if

$\neg\Big(\bigwedge_{j} \Box\Diamond p_j\Big) \vee \big(\;\cdots\;\big). \qquad (15)$

The lemma follows directly from the fact that the right-hand side of (15) is a liveness formula. □
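As an added illustration of Lemma 1 (not code from the paper), the following Python represents an execution as a lasso, a finite prefix followed by a loop repeated forever, so that the set of states visited infinitely often is computable, and checks a GR(1)-style formula on it. It assumes a formula of the form $(\bigwedge_j \Box\Diamond p_j) \to (\bigwedge_k \Box\Diamond q_k)$ with each atomic proposition given as the set of states where it holds; the page only states that $\varphi$ is GR(1) with a liveness right-hand side. The time shift of item 1) and the splice of item 2) are implemented on lassos; the state names and the sample sequences SIGMA, SIGMA2 and VIOLATING are constructed for this example. Both operations leave satisfaction unchanged because a shift preserves the set of infinitely-often states and a splice inherits that set from $\sigma'$, which is exactly why the lemma reduces to the right-hand side being a liveness formula.

```python
"""Time shift and splice of ultimately periodic executions (Lemma 1).

Added example, not from the paper.  A formula (AND_j []<>p_j) -> (AND_k []<>q_k)
is assumed; each p_j / q_k is the set of states in which the proposition holds.
"""
from typing import List, Set, Tuple

Lasso = Tuple[List[str], List[str]]  # (finite prefix, non-empty loop repeated forever)


def state_at(sigma: Lasso, t: int) -> str:
    """v_t of the infinite sequence encoded by the lasso."""
    prefix, loop = sigma
    if t < len(prefix):
        return prefix[t]
    return loop[(t - len(prefix)) % len(loop)]


def inf_states(sigma: Lasso) -> Set[str]:
    """States visited infinitely often: exactly the loop states."""
    return set(sigma[1])


def holds(sigma: Lasso, assumptions: List[Set[str]], guarantees: List[Set[str]]) -> bool:
    """sigma |= (AND_j []<>p_j) -> (AND_k []<>q_k).  []<>p holds iff some
    infinitely-often state satisfies p, so only the loop matters."""
    inf = inf_states(sigma)
    lhs = all(inf & p for p in assumptions)
    rhs = all(inf & q for q in guarantees)
    return (not lhs) or rhs


def shift(sigma: Lasso, t: int) -> Lasso:
    """sigma_t = v_t v_{t+1} ... (item 1 of Lemma 1)."""
    prefix, loop = sigma
    if t <= len(prefix):
        return (prefix[t:], list(loop))
    k = (t - len(prefix)) % len(loop)
    return ([], loop[k:] + loop[:k])  # rotate the loop; prefix is consumed


def splice(sigma: Lasso, sigma2: Lasso, tau: int) -> Lasso:
    """v_0 ... v_tau v'_1 v'_2 ... (item 2 of Lemma 1); requires v_tau = v'_0."""
    if state_at(sigma, tau) != state_at(sigma2, 0):
        raise ValueError("splice point must agree: v_tau != v'_0")
    head = [state_at(sigma, t) for t in range(tau + 1)]
    tail_prefix, tail_loop = shift(sigma2, 1)
    return (head + tail_prefix, tail_loop)


# Constructed sample: states are strings, propositions are sets of states.
P_ENV = [{"a"}]   # assumption: the environment visits "a" infinitely often
Q_SYS = [{"g"}]   # guarantee: the system visits "g" infinitely often
SIGMA: Lasso = (["s"], ["a", "b", "g"])  # satisfies the formula
SIGMA2: Lasso = (["b"], ["g", "a"])      # satisfies it too; starts in "b" = v_2 of SIGMA
VIOLATING: Lasso = ([], ["a", "b"])      # assumption met, guarantee never met


def lemma1_check(sigma: Lasso, sigma2: Lasso, tau: int) -> Tuple[bool, bool, bool]:
    """(sigma |= phi, sigma_tau |= phi, spliced sequence |= phi) for the sample formula."""
    return (holds(sigma, P_ENV, Q_SYS),
            holds(shift(sigma, tau), P_ENV, Q_SYS),
            holds(splice(sigma, sigma2, tau), P_ENV, Q_SYS))


if __name__ == "__main__":
    print(lemma1_check(SIGMA, SIGMA2, 2))
    print(holds(VIOLATING, P_ENV, Q_SYS), holds(shift(VIOLATING, 7), P_ENV, Q_SYS))
```

The violating lasso shows the other direction of the same fact: a sequence that fails the guarantee keeps failing it under any shift, since shifting never changes which states recur.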

Lemma 2. Consider an FTS $T$ and a GR(1) formula $\varphi$. If the controller $\gamma$ is winning for some non-empty set $W$, then for any initial condition $\xi[0] \in W$ and environmental actions $e[0]e[1]\ldots$, the controlled execution $(\xi[0], e[0])(\xi[1], e[1])\ldots$ satisfies

$\xi[t] \in W(T, \varphi), \quad \forall t = 0, 1, \ldots .$

Proof. This result follows directly from Lemma 1. □

Proof of Theorem. By the recursive definition of $D_P^{(i)}$ and $D_O^{(i)}$, we know that for any $\xi_a, \xi_b \in S^{(i)}$,

$(\xi_a, e_a) \to (\xi_b, e_b)$

implies that

$T_P\big(T_{S^{(i)}}^{-1}(\xi_a),\, T_{S^{(i)}}^{-1}(\xi_b)\big) = 1.$

Hence, the first claim can be proved in a similar way as Theorem . We now prove (10). For the FTS $D_P^{(i)}$, suppose the winning controller for $W^{(i)} = W(D_P^{(i)}, \varphi)$ is $\gamma_P^{(i)} = (\gamma_{P,1}^{(i)}, \gamma_{P,2}^{(i)}, \ldots)$. We can define the controller $\gamma_P^{(i+1)} = (\gamma_{P,1}^{(i+1)}, \gamma_{P,2}^{(i+1)}, \ldots)$ for the FTS $D_P^{(i+1)}$ as

$\gamma_{P,t}^{(i+1)}\big((\xi[0],1), e[0], \ldots, e[t-1]\big) = \big(\gamma_{P,t}^{(i)}(\xi[0], e[0], \ldots, e[t-1]),\, 1\big).$

Thus, the controlled execution of the FTS $D_P^{(i+1)}$ is given by

$((\xi[0],1), e[0])\,((\xi[1],1), e[1])\,((\xi[2],1), e[2]) \ldots,$

which satisfies the specification $\varphi$. Therefore, we only need to prove that the controller $\gamma_P^{(i+1)}$ is consistent.

By Lemma 2 we know that for any $\xi[0] \in W^{(i)}$, the controlled execution $(\xi[0], e[0])\ldots$ satisfies

$\xi[t] \in W^{(i)},$

which implies that the transition from $((\xi[t],1), e[t])$ to $((\xi[t+1],1), e[t+1])$ in $D_P^{(i+1)}$ is a WW-transition and hence exists. Hence, $\gamma_P^{(i+1)}$ is consistent, which completes the proof. □

Proof of Theorem. We first prove the first claim. Notice that by the construction of $D_O^{(i+1)}$, if $\xi[0] \in L^{(i)} = L(D_O^{(i)}, \varphi)$, then $((\xi[0],1), e[0])$ has no successors in $D_O^{(i+1)}$. Thus, $(\xi[0],1) \in L(D_O^{(i+1)}, \varphi)$ since no consistent controller exists for $(\xi[0],1)$.

We now prove the second claim by induction. Notice that we cannot use the same argument as for Theorem , since $s_a \to s_b$ does not necessarily imply $T_{S^{(i+1)}}(s_a) \to_O T_{S^{(i+1)}}(s_b)$.

By Theorem , we know that the claim holds when $i = 1$. For the transition system $TS(\Sigma)$, suppose that the controller $\gamma = (\gamma_1, \gamma_2, \ldots)$ is winning for $W(TS(\Sigma), \varphi)$. For any $s[0] \in W(TS(\Sigma), \varphi)$ and environmental actions $e[0]e[1]\ldots$, we create a controlled execution using $\gamma$: $\sigma = (s[0], e[0])(s[1], e[1])\ldots$, which is winning.

Let us define a hitting time $\tau$ as

$\tau = \inf\{t \in \mathbb{N}_0 : T_{S^{(i-1)}}(s[t]) \in W^{(i-1)}\}.$

In other words, $\tau$ is the first time that $T_{S^{(i-1)}}(s[t])$ enters the winning set $W^{(i-1)}$. We further assume that the infimum over an empty set is $\infty$.

For the FTS $D_P^{(i-1)}$, suppose that the controller $\gamma_P = (\gamma_{P,1}, \ldots)$ is winning for $W(D_P^{(i-1)}, \varphi) = W^{(i-1)}$. If $\tau < \infty$, we define $\xi_P[0] = T_{S^{(i-1)}}(s[\tau])$ and $e_P[t] = e[t + \tau]$. Now we create a controlled execution using $\gamma_P$ with environmental actions $e_P[0]e_P[1]\ldots$: $\sigma_P = (\xi_P[0], e_P[0])(\xi_P[1], e_P[1])\ldots$, which is also winning.

We now construct a controller $\gamma_O = (\gamma_{O,1}, \ldots)$ of the FTS $D_O^{(i)}$ such that it is winning at $\xi[0] = T_{S^{(i)}}(s[0])$. The construction can be divided into two steps:

1) If $t < \tau$, then $\gamma_O$ follows the winning controller $\gamma$ of the FTS $TS(\Sigma)$, i.e.,

$\gamma_{O,t}(\xi[0], e[0], \ldots, e[t-1]) = T_{S^{(i)}}\big(\gamma_t(s[0], e[0], \ldots, e[t-1])\big).$

2) If $t \ge \tau$, we switch to the winning controller $\gamma_P$ of the FTS $D_P^{(i-1)}$, i.e.,

$\gamma_{O,t}(\xi[0], e[0], \ldots, e[t-1]) = \big(\gamma_{P,t-\tau}(\xi_P[0], e_P[0], \ldots, e_P[t-\tau-1]),\, 1\big).$

Now we prove that $\gamma_O$ is winning at $\xi[0]$. Define the controlled execution using $\gamma_O$ on the FTS $D_O^{(i)}$ to be

$\sigma_O = (\xi_O[0], e[0])(\xi_O[1], e[1])\ldots .$

We need to prove that $\sigma_O$ satisfies the specification and $\gamma_O$ is consistent. The proof is divided into two cases depending on whether $\tau = \infty$ or $\tau < \infty$.

Case 1: $\tau = \infty$

By the definition of $\gamma_O$, we know that

$\xi_O[t] = T_{S^{(i)}}(s[t]).$

Since $\sigma$ is winning, we only need to check the consistency of $\gamma_O$, i.e., whether the transition from $(\xi_O[t], e[t])$ to $(\xi_O[t+1], e[t+1])$ exists in $D_O^{(i)}$. By Lemma 2 we know that

$s[t] \in W(TS(\Sigma), \varphi).$

And hence, by the induction assumption,

By the fact that $\tau = \infty$,

As a result, there exists a $j_t \in \{1, \ldots, m\}$ such that $\xi_O[t]$ is the $j_t$-th child of $T_{S^{(i-1)}}(s[t])$, i.e.,

Furthermore, since there exists a $u[t]$ such that $f(s[t], u[t]) = s[t+1]$, we know that

Hence, the transition from $(\xi_O[t], e[t])$ to $(\xi_O[t+1], e[t+1])$ is an MM-transition and it exists in $D_O^{(i)}$. And thus, $\gamma_O$ is consistent.

Case 2: $\tau < \infty$

By the construction of $\gamma_O$, $\sigma_O$ satisfies

$\xi_O[t] = \begin{cases} T_{S^{(i)}}(s[t]) & \text{if } t < \tau, \\ (\xi_P[t-\tau], 1) & \text{if } t \ge \tau. \end{cases}$

By Lemma 1 and the fact that both $\sigma$ and $\sigma_P$ satisfy $\varphi$, we only need to check the consistency of $\gamma_O$, i.e., whether the transition from $(\xi_O[t], e[t])$ to $(\xi_O[t+1], e[t+1])$ exists in $D_O^{(i)}$. This can be done in three steps:

1) $t < \tau - 1$: By the same argument as for the case where $\tau = \infty$, we know that the transition from $(\xi_O[t], e[t])$ to $(\xi_O[t+1], e[t+1])$ is an MM-transition and it exists in $D_O^{(i)}$.

2) $t = \tau - 1$: By the definition of $\tau$, we know that

$T_{S^{(i-1)}}(s[\tau-1]) \notin W^{(i-1)}, \qquad T_{S^{(i-1)}}(s[\tau]) \in W^{(i-1)}.$

Hence, the transition from $(\xi_O[\tau-1], e[\tau-1])$ to $(\xi_O[\tau], e[\tau])$ is an MW-transition and it exists in $D_O^{(i)}$.

3) $t > \tau - 1$: By Lemma 2 we know that

Hence, the transition from $(\xi_O[t], e[t])$ to $(\xi_O[t+1], e[t+1])$ is a WW-transition and it exists in $D_O^{(i)}$.

Therefore, $\gamma_O$ is consistent and we can conclude the proof. □


